A practical guide to testing your infrastructure security with Kali Linux, the preferred choice of pentesters and hackers
This book takes you, as a tester or security practitioner, through the reconnaissance, vulnerability assessment, exploitation, privilege escalation, and post-exploitation activities used by pentesters.
To start with, you'll use a laboratory environment to validate tools and techniques, along with an application that supports a collaborative approach for pentesting. You'll then progress to passive reconnaissance with open source intelligence and active reconnaissance of the external and internal infrastructure. You'll also focus on how to select, use, customize, and interpret the results from different vulnerability scanners, followed by examining specific routes to the target, which include bypassing physical security and the exfiltration of data using a variety of techniques. You'll discover concepts such as social engineering, attacking wireless networks, web services, and embedded devices.
Once you are confident with these topics, you'll learn the practical aspects of attacking user client systems by backdooring with fileless techniques, followed by focusing on the most vulnerable part of the network – directly attacking the end user. By the end of this book, you'll have explored approaches for carrying out advanced pentesting in tightly secured environments, understood pentesting and hacking techniques employed on embedded peripheral devices.
This third edition of Mastering Kali Linux for Advanced Penetration Testing is for you if you are a security analyst, pentester, ethical hacker, IT professional, or security consultant wanting to maximize the success of your infrastructure testing using some of the advanced features of Kali Linux. Prior exposure to penetration testing and ethical hacking basics will be helpful in making the most out of this book.
Page count: 457
Year of publication: 2019
Copyright © 2019 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author(s), nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Vijin Boricha
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Deepti Thore
Technical Editor: Rudolph Almeida
Copy Editor: Safis Editing
Project Coordinator: Jagdish Prabhu
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Nilesh Mohite
First published: June 2014
Second edition: June 2017
Third edition: January 2019
Production reference: 1290119
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-78934-056-3
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Vijay Kumar Velu is a passionate information security practitioner, author, speaker, investor, and blogger. He has more than 12 years of IT industry experience, is a licensed penetration tester, and is specialized in providing technical solutions to a variety of cyber problems, ranging from simple security configuration reviews to cyber threat intelligence. Vijay holds multiple security qualifications, including CEH, ECSA, and CHFI. He has authored a couple of books on penetration testing: Mastering Kali Linux for Advanced Penetration Testing – Second Edition, and Mobile Application Penetration Testing. For the community, Vijay serves as chair member in NCDRC, India. Out of work, he enjoys playing music and doing charity work.
Robert Beggs is the founder and CEO of DigitalDefence, a Canadian-focused company that specializes in preventing and responding to information security incidents. Robert is a security practitioner with more than 15 years of experience. He has been responsible for the technical leadership and project management of more than 300 consulting engagements, including policy development and review, standards compliance, penetration testing of wired and wireless networks, third party security assessments, incident response and data forensics, and other consulting projects. Previously, he provided security services for a major Canadian financial institution and Netigy, a global network and security infrastructure firm based in San Jose.
Kunal Sehgal has been heading critical cyber security roles for financial organizations for over 15 years now. He is an avid blogger and a regular speaker on cyber-related topics across Asia. He also holds a bachelor's degree in computer applications from Panjab University, and a post-graduate diploma from Georgian College in cyber space security. He has numerous cyber certifications, including Certified Information Systems Auditor (CISA), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Tenable Certified Nessus Auditor (TCNA), Certificate of Cloud Security Knowledge (CCSK), ISO 27001 Lead Auditor, Offensive Security Certified Professional (OSCP), and CompTIA Security+.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Copyright and Credits
Mastering Kali Linux for Advanced Penetration Testing Third Edition
Dedication
About Packt
Why subscribe?
Packt.com
Contributors
About the author
About the reviewer
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
Disclaimer
Goal-Based Penetration Testing
Conceptual overview of security testing
Misconceptions of vulnerability scanning, penetration testing, and red team exercises
Objective-based penetration testing
The testing methodology
Introduction to Kali Linux – features
Role of Kali in red team tactics
Installing and updating Kali Linux
Using as a portable device
Installing Kali to Raspberry Pi 3
Installing Kali onto a VM
VMware Workstation Player
VirtualBox
Installing to a Docker Appliance
Kali on AWS Cloud
Organizing Kali Linux
Configuring and customizing Kali Linux
Resetting the root password
Adding a non-root user
Configuring network services and secure communications
Adjusting network proxy settings
Accessing the secure shell
Speeding up Kali operations
Sharing folders with the host operating system
Using Bash scripts to customize Kali
Building a verification lab
Installing defined targets
Metasploitable3
Mutillidae
Setting up an Active Directory and Domain Controller
Adding users to the Active Directory
Adding Metasploitable3 Windows to the new domain
Managing collaborative penetration testing using Faraday
Summary
Open Source Intelligence and Passive Reconnaissance
Basic principles of reconnaissance
Open source intelligence
Offensive OSINT
Domain gathering using Sublist3r
Maltego
OSRFramework
Web archives
Scraping
Gathering usernames and email addresses
Obtaining user information
Shodan and censys.io
Google Hacking Database
Using dork scripts to query Google
Data dump sites
Using scripts to automatically gather OSINT data
Defensive OSINT
Dark web
Security breaches
Threat intelligence
Profiling users for password lists
Creating custom wordlists for cracking passwords
Using CeWL to map a website
Extracting words from Twitter using twofi
Summary
Active Reconnaissance of External and Internal Networks
Stealth scanning strategies
Adjusting source IP stack and tool identification settings
Modifying packet parameters
Using proxies with anonymity networks
DNS reconnaissance and route mapping
The whois command (Post GDPR)
Employing comprehensive reconnaissance applications
The recon-ng framework
IPv4
IPv6
Using IPv6-specific tools
Mapping the route to the target
Identifying the external network infrastructure
Mapping beyond the firewall
IDS/IPS identification
Enumerating hosts
Live host discovery
Port, operating system, and service discovery
Port scanning
Writing your own port scanner using netcat
Fingerprinting the operating system
Determining active services
Large-scale scanning
DHCP information
Identification and enumeration of internal network hosts
Native MS Windows commands
ARP broadcasting
Ping sweep
Using scripts to combine masscan and nmap scans
Taking advantage of SNMP
Windows account information via SMB (Server Message Block) sessions
Locating network shares
Reconnaissance of active directory domain servers
Using comprehensive tools (SPARTA)
An example to configure SPARTA
Summary
Vulnerability Assessment
Vulnerability nomenclature
Local and online vulnerability databases
Vulnerability scanning with Nmap
Introduction to Lua scripting
Customizing NSE scripts
Web application vulnerability scanners
Introduction to Nikto and Vega
Customizing Nikto and Vega
Vulnerability scanners for mobile applications
The OpenVAS network vulnerability scanner
Customizing OpenVAS
Commercial vulnerability scanners
Nessus
Nexpose 
Specialized scanners
Threat modeling
Summary
Advanced Social Engineering and Physical Security
Methodology and attack methods
Technology
Computer-based
Mobile-based
People-based
Physical attacks
Voice-based
Physical attacks at the console
samdump2 and chntpw
Sticky keys
Creating a rogue physical device
Microcomputer or USB-based attack agents
The Raspberry Pi
The MalDuino – the BadUSB
The Social Engineering Toolkit (SET)
Using a website attack vector – the credential harvester attack method
Using a website attack vector – the tabnabbing attack method
HTA attack
Using the PowerShell alphanumeric shellcode injection attack
Hiding executables and obfuscating the attacker's URL
Escalating an attack using DNS redirection
Spear phishing attack
Setting up a phishing campaign with Gophish
Launching a phishing attack
Using bulk transfer as a mode of phishing
Summary
Wireless Attacks
Configuring Kali for wireless attacks
Wireless reconnaissance
Kismet
Bypassing a hidden SSID
Bypassing the MAC address authentication and open authentication
Attacking WPA and WPA2
Brute-force attacks
Attacking wireless routers with Reaver
Denial-of-service (DoS) attacks against wireless communications
Compromising enterprise implementations of WPA/WPA2
Working with Ghost Phisher
Summary
Exploiting Web-Based Applications
Web application hacking methodology
The hacker's mind map
Reconnaissance of web apps
Detection of web application firewall and load balancers
Fingerprinting a web application and CMS
Mirroring a website from the command line
Client-side proxies
Burp Proxy
Web crawling and directory brute-force attacks
Web service-specific vulnerability scanners
Application-specific attacks
Brute-forcing access credentials
Injection
OS command injection using commix
SQL injection
XML injection
Bit-flipping attack
Maintaining access with web shells
Summary
Client-Side Exploitation
Backdooring executable files
Attacking a system using hostile scripts
Conducting attacks using VBScript
Attacking systems using Windows PowerShell
The Cross-Site Scripting framework
The Browser Exploitation Framework (BeEF)
Configuring the BeEF
Understanding BeEF Browser
Integrating BeEF and Metasploit attacks
Using BeEF as a tunneling proxy
Summary
Bypassing Security Controls
Bypassing Network Access Control (NAC)
Pre-admission NAC
Adding new elements
Identifying the rules
Exceptions
Quarantine rules
Disabling endpoint security
Preventing remediation
Adding exceptions
Post-admission NAC
Bypassing isolation
Detecting honeypot
Bypassing the antivirus with files
Using the Veil framework
Using Shellter
Going fileless and evading antivirus
Bypassing application-level controls
Tunneling past client-side firewalls using SSH
Inbound to outbound
Bypassing URL filtering mechanisms
Outbound to inbound
Bypassing Windows operating system controls
User Account Control (UAC)
Using fileless techniques
Using fodhelper to bypass UAC in Windows 10
Using Disk Cleanup to bypass UAC in Windows 10
Other Windows-specific operating system controls
Access and authorization
Encryption
System security
Communications security
Auditing and logging
Summary
Exploitation
The Metasploit Framework
Libraries
REX
Framework core
Framework base
Interfaces
Modules
Database setup and configuration
Exploiting targets using MSF
Single targets using a simple reverse shell
Single targets using a reverse shell with a PowerShell attack vector
Exploiting multiple targets using MSF resource files
Exploiting multiple targets with Armitage
Using public exploits
Locating and verifying publicly available exploits
Compiling and using exploits
Compiling C files
Adding the exploits that are written using the MSF as a base
Developing a Windows exploit
Identifying a vulnerability using fuzzing
Creating a Windows-specific exploit
Summary
Action on the Objective and Lateral Movement
Activities on the compromised local system
Conducting rapid reconnaissance of a compromised system
Finding and taking sensitive data – pillaging the target
Creating additional accounts
Post-exploitation tools
The Metasploit Framework
The Empire project
CrackMapExec
Horizontal escalation and lateral movement
Veil-Pillage
Compromising domain trusts and shares
PsExec, WMIC, and other tools
WMIC
Windows Credential Editor
Lateral movement using services
Pivoting and port forwarding
Using Proxychains
Summary
Privilege Escalation
Overview of the common escalation methodology
Escalating from domain user to system administrator
Local system escalation
Escalating from administrator to system
DLL injection
Credential harvesting and escalation attacks
Password sniffers
Responder
SMB relay attacks
Escalating access rights in Active Directory
Compromising Kerberos – the golden-ticket attack
Summary
Command and Control
Persistence
Using persistent agents
Employing Netcat as a persistent agent
Using schtasks to configure a persistent task
Maintaining persistence with the Metasploit framework
Using the persistence script
Creating a standalone persistent agent with Metasploit
Persistence using online file storage cloud services
Dropbox
Microsoft OneDrive
Domain fronting
Using Amazon CloudFront for C2
Using Microsoft Azure for C2
Exfiltration of data
Using existing system services (Telnet, RDP, and VNC)
Using the DNS protocol
Using the ICMP protocol
Using the Data Exfiltration Toolkit (DET)
Using PowerShell
Hiding evidence of an attack
Summary
Embedded Devices and RFID Hacking
Embedded systems and hardware architecture
Embedded system basic architecture
Understanding firmware
Different types of firmware
Understanding bootloaders
Common tools
Firmware unpacking and updating
Introduction to RouterSploit Framework
UART
Cloning RFID using Chameleon Mini
Other tools
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think
This book is dedicated to the use of Kali Linux in performing penetration tests against networks, systems, and applications. A penetration test simulates an attack against a network or a system by a malicious outsider or insider. Unlike a vulnerability assessment, penetration testing is designed to include the exploitation phase. Therefore, it proves that the vulnerability is present and exploitable, and that it carries the very real risk of compromise if not acted upon.
Throughout this book, we will refer to penetration testers, attackers, and hackers interchangeably, as they use the same techniques and tools to assess the security of networks and data systems. The only difference between them is their end objective—a secure data network, or a data breach.
In short, this book will take you through a journey of penetration testing, with a number of proven techniques for defeating the latest network defenses using Kali Linux, from selecting the most effective tools, to rapidly compromising network security, to highlighting the techniques used to avoid detection.
If you are a penetration tester, IT professional, or security consultant wanting to maximize the success of your network testing by using some of the advanced features of Kali Linux, then this book is for you. Some prior exposure to the basics of penetration testing and ethical hacking would be helpful in making the most out of this title.
Chapter 1, Goal-Based Penetration Testing with Kali Linux, introduces a functional outline, based on the penetration-testing methodology, that will be used throughout the book. It ensures that a coherent and comprehensive approach to penetration testing will be followed.
Chapter 2, Open Source Intelligence and Passive Reconnaissance, provides background on how to gather information about a target using publicly-available sources, and discusses the tools that can simplify reconnaissance and information management.
Chapter 3, Active Reconnaissance of the External and Internal Networks, introduces you to stealthy approaches that can be used to gain information about the target, especially the information that identifies vulnerabilities to be exploited.
Chapter 4, Vulnerability Assessment, teaches you the semi-automated process of scanning a network and its devices to locate systems that are vulnerable to attack and compromise, and the process of taking all reconnaissance and vulnerability scan information, assessing it, and then creating a map to guide the penetration-testing process.
Chapter 5, Advanced Social Engineering and Physical Security, demonstrates why being able to physically access a system or interact with the humans who manage it provides the most successful route to exploitation.
Chapter 6, Wireless Attacks, provides a brief explanation of wireless technologies, and focuses instead on the common techniques used to compromise these networks by bypassing security.
Chapter 7, Exploiting Web-Based Applications, provides a brief overview of one of the most complex delivery phases to secure: web-based applications that are exposed to the public internet.
Chapter 8, Client-Side Exploitation, focuses on attacks against applications on the end user's systems, which are frequently not protected to the same degree as the organization's primary network.
Chapter 9, Bypassing Security Controls, demonstrates the most common security controls in place, identifies a systematic process for overcoming these controls, and demonstrates this using the tools from the Kali toolset.
Chapter 10, Exploitation, demonstrates the methodologies that can be used to find and execute exploits that allow a system to be compromised by an attacker.
Chapter 11, Action on the Objective, focuses on the immediate post-exploit activities, as well as the concept of horizontal escalation—the process of using an exploited system as a starting point to jump off to other systems on the network.
Chapter 12, Privilege Escalation, demonstrates how the penetration tester can own all aspects of a system's operations, and more importantly, how obtaining some access privileges will allow the tester to control all systems across a network.
Chapter 13, Command and Control, focuses on what a modern attacker would do to enable data to be exfiltrated to the attacker's location, while hiding the evidence of the attack.
Chapter 14, Embedded Devices and RFID Hacking, focuses on what a modern attacker would do to perform a structured attack on embedded devices, as well as the cloning of NFC cards, to achieve an objective.
In order to practice the material presented in this book, you will need virtualization tools such as VMware or VirtualBox.
You will need to download and configure the Kali Linux operating system and its suite of tools. To ensure that it is up to date and that you have all of the tools, you will need an internet connection.
Sadly, not all of the tools on the Kali Linux system will be addressed, since there are just too many of them. The focus of this book is not to overwhelm you with all of the tools and options, but to provide an approach to testing that will give you the opportunity to learn and incorporate new tools as your experience and knowledge increase over time.
Although most of the examples from this book focus on Microsoft Windows, the methodology and most of the tools are transferable to other operating systems, such as Linux and the other flavors of Unix.
Finally, this book applies Kali to complete the attacker's kill-chain against target systems. For this, you will need a target operating system. Many of the examples in the book use Microsoft Windows 7 and Windows 2008 R2.
You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.
You can download the code files by following these steps:
1. Log in or register at www.packt.com.
2. Select the SUPPORT tab.
3. Click on Code Downloads & Errata.
4. Enter the name of the book in the Search box and follow the onscreen instructions.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR/7-Zip for Windows
Zipeg/iZip/UnRarX for Mac
7-Zip/PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Mastering-Kali-Linux-for-Advanced-Penetration-Testing-Third-Edition. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789340563_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "For example, we have used the netcat command."
A block of code is set as follows:
<!DOCTYPE foo [ <!ENTITY Variable "hello" > ]><somexml><message>&Variable;</message></somexml>
Any command-line input or output is written as follows:
chmod 600 privatekey.pem
ssh -i privatekey.pem ec2-user@amazon-dns-ip
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Right-click on the folder and select the Sharing tab. From this menu, select Share."
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, select your book, click on the Errata Submission Form link, and enter the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
The information within this book is intended to be used only in an ethical manner. Do not use any information from the book to perform illegal activities if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.
The features explained in the book are based on the meta-packages version of Kali Linux 2019.1; this is not the official release by Offensive Security.
Everything starts with a goal. In this chapter, we will discuss the importance of goal-based penetration testing with a set of objectives, address common misconceptions, and show how a typical vulnerability scan, penetration test, or red teaming exercise can fail when it is not driven by a goal. This chapter also provides an overview of security testing and of setting up a verification lab, and focuses on customizing Kali to support some advanced aspects of penetration testing. By the end of this chapter, you'll have learned the following:
An overview of security testing
Misconceptions of vulnerability scanning, penetration testing, and red teaming exercises
History and purpose of Kali Linux
Updating and organizing Kali
Setting up defined targets
Building a verification lab
Every household, individual, and public and private business in the world has something to worry about in cyber space, such as privacy, data loss, malware, cyber terrorism, and identity theft. Everything starts with the concept of protection; if you ask 100 different security consultants the question "What is security testing?", it is very likely that you'll hear 100 different responses. In its simplest form, security testing is a process to determine that an information asset or system is protected and that its functionality is maintained as intended.
In this section, we will discuss some misconceptions and limitations of traditional/classical vulnerability scanning, penetration testing, and red teaming exercises. Let's now understand what each of these three means in simple terms, along with their limitations:
Vulnerability scanning (Vscan): This is the process of identifying vulnerabilities or security loopholes in a system or network. One misconception about Vscan is that it will tell you about all of the known vulnerabilities; this is not true. A Vscan reports only potential vulnerabilities, and its coverage depends entirely on the type of scanner used; it may also include many false positives, leaving the business owner with no clear view of which findings are relevant risks and which one an attacker would use first to gain access.
Penetration testing (Pentest): This is the process of safely exploiting vulnerabilities without much impact on the existing network or business. It produces fewer false positives, since the testers try to simulate the exploit. The limitations of a pentest are that it covers only currently known, publicly available exploits, and that it is mostly project-focused testing. We often hear from pentesters during an assessment, "Yay! Got Root", but we never question: What's next? This could be due to various reasons, such as the project requiring you to report high-risk issues immediately to the client, or the client being interested in only one segment of the network and wanting you to test that.
Red Team Exercise (RTE): This is the process of evaluating how effectively an organization can defend against cyber threats and of improving its security by any possible means. During an RTE, we can see multiple ways of achieving the project objectives and goals, with complete coverage of activities under the defined project goal, including phishing, wireless, disk drops (USB, CD, and SSD), and physical penetration testing. The limitations of RTEs are that they are time-bound, use pre-defined scenarios, and run in an assumed rather than real environment. Often, an RTE is run in a fully monitored mode, with every technique and tactic executed according to procedure, but this is not the case when a real attacker wants to achieve an objective.
Often, all three different testing methodologies refer to the term hack or compromise. We will hack your network and show you where your weaknesses are; but wait, does the client or business owner understand the term hack or compromise? How do we measure it? What are the criteria? And when do we know that the hack or compromise is complete? All the questions point to only one thing: what's the primary goal?
The primary goal of a pentest or RTE is to determine the real risk, distinguishing it from the scanner's risk rating, and to give a business risk value for each asset, including the organization's brand image. It is not about how much risk they have; rather, it is about how much they are exposed. A threat that has been found does not in itself constitute a risk and need not always be demonstrated. For example, a Cross-Site Scripting (XSS) vulnerability on a brochure website may not have a significant impact on the business; a client might accept the risk and put in place a mitigation plan using a Web Application Firewall (WAF) to prevent XSS attacks.
Objective-based penetration testing is time-bound and depends on the specific problem that an organization faces. An example of an objective is: We are most worried about the online portal and fraudulent transactions. The objective then becomes to compromise the portal or its administrators through phishing, or to take over the approval chains through a system flaw. Every objective comes with its own tactics, techniques, and procedures that support the primary goal of the penetration test. We will explore all of these throughout this book using Kali Linux.
Methodologies rarely consider why a penetration test is being undertaken or which data is critical to the business and needs to be protected. In the absence of this vital first step, penetration tests lose focus.
Many penetration testers are reluctant to follow a defined methodology, fearing that it will hinder their creativity in exploiting a network. Yet penetration testing frequently fails to reflect the actual activities of a malicious attacker. Frequently, the client wants to see whether you can gain administrative access to a particular system (can you root the box?). However, the attacker may be focused on copying critical data in a manner that does not require root access, or on causing a denial of service.
To address the limitations inherent in formal testing methodologies, they must be integrated into a framework that views the network from the perspective of an attacker: the kill chain.
In 2009, Mike Cloppert of Lockheed Martin CERT introduced the concept that is now known as the attacker kill chain. This includes the steps taken by an adversary when they are attacking a network. It does not always proceed in a linear flow as some steps may occur in parallel. Multiple attacks may be launched over time at the same target, and overlapping stages may occur at the same time.
In this book, we've modified Cloppert's kill chain to more accurately reflect how attackers apply these steps when exploiting networks, applications, and data services.
The following diagram shows a typical kill chain of an attacker:
A typical kill chain of an attacker can be described as follows:
Explore or reconnaissance phase
: The adage, reconnaissance time is never wasted time, adopted by most military organizations, acknowledges that it is better to learn as much as possible about an enemy before engaging them. For the same reason, attackers will conduct extensive reconnaissance of a target before attacking. In fact, it is estimated that at least 70 percent of the work effort of a penetration test or an attack is spent conducting reconnaissance! Generally, they will employ two types of reconnaissance:
Passive
: This does not directly interact with the target in a hostile manner. For example, the attacker will review the publicly available website(s), assess online media (especially social media sites), and attempt to determine the attack surface of the target. One particular task will be to generate a list of past and current employee names. These names will form the basis of attempts to brute force or guess passwords. They will also be used in social engineering attacks. This type of reconnaissance is difficult, if not impossible, to distinguish from the behavior of regular users.
Active
: This can be detected by the target, but it can be difficult to distinguish from the regular background noise that most online organizations face. Activities occurring during active reconnaissance include physical visits to target premises, port scanning, and remote vulnerability scanning.
Delivery phase
: Delivery is the selection and development of the weapon that will be used to complete the exploit during the attack. The exact weapon chosen will depend on the attacker's intent as well as the route of delivery (for example, across the network, via wireless, or through a web-based service). The impact of the delivery phase will be examined in the second half of this book.
Exploit or compromise phase
: This is the point when a particular exploit is successfully applied, allowing attackers to reach their objective. The compromise may have occurred in a single phase (for example, a known operating system vulnerability was exploited using a buffer overflow), or it may have been a multiphase compromise (for example, an attacker physically accessed premises to steal a corporate phone book. The names were used to create lists for brute force attacks against a portal logon. In addition, emails were sent to all employees to click on an embedded link to download a crafted PDF file that compromised their computers). Multiphase attacks are the norm when a malicious attacker targets a specific enterprise.
Achieve phase – Action on the Objective
: This is frequently, and incorrectly, referred to as the exfiltration phase because there is a focus on perceiving attacks solely as a route to steal sensitive data (such as login information, personal information, and financial information); it is common for an attacker to have a different objective. For example, a business may wish to cause a denial of service in their competitor's network to drive customers to their own website. Therefore, this phase must focus on the many possible actions of an attacker. One of the most common exploit activities occurs when the attackers attempt to improve their access privileges to the highest possible level (vertical escalation) and to compromise as many accounts as possible (horizontal escalation).
Achieve phase – Persistence
: If there is value in compromising a network or system, then that value can likely be increased if there is persistent access. This allows attackers to maintain communications with a compromised system. From a defender's point of view, this is the part of the kill chain that is usually the easiest to detect.
A kill chain is a metamodel of an attacker's behavior when they attempt to compromise a network or a particular data system. As a metamodel, it can incorporate any proprietary or commercial penetration testing methodology. Unlike the methodologies, however, it ensures a strategic-level focus on how an attacker approaches the network. This focus on the attacker's activities will guide the layout and content of this book.
Kali Linux (Kali) is the successor to the BackTrack penetration testing platform that is generally regarded as the de facto standard package of tools used to facilitate penetration testing to secure data and voice networks. It was developed by Mati Aharoni and Devon Kearns of Offensive Security.
Kali had four major releases in 2018 (as of December 2018). The Kali 2018.1 release was on Feb 6 2018 with kernel 4.14.13 and Gnome 3.26.2. The Kali 2018.2 rolling release was on April 30 2018 with kernel 4.15, which mitigates the Spectre and Meltdown vulnerabilities on x64 and x86 machines, and Kali 2018.3 followed on August 21 2018, just after the hacker summer camp, bringing the kernel version to 4.17.0 with minimal additions to the kernel. The final release of the year, Kali 2018.4, was on Oct 29 2018 with an experimental Raspberry Pi 3 image that supports 64-bit mode and updated packages for other tools.
Some features of the latest Kali include the following:
Over 500 advanced penetration testing, data forensics, and defensive tools are included. The majority of the tools are eliminated and replaced by similar tools. Kali provides extensive wireless support with multiple hardware and kernel patches to permit the packet injection required by some wireless attacks.
Support for multiple desktop environments such as KDE, GNOME3, Xfce, MATE, e17, lxde, and i3wm.
By default, Kali Linux has Debian-compliant tools that are synchronized with the Debian repositories at least four times daily, making it easier to update packages and apply security fixes.
There is a secure development environment, and packages and repositories are GPG signed.
There's support for ISO customization, allowing users to build their own versions of customized Kali with a limited set of tools, to make it lightweight. The bootstrap function also performs enterprise-wide network installs that can be automated using pre-seed files.
Since ARM-based systems have become more prevalent and less expensive, support for ARMEL and ARMHF was introduced so that Kali can be installed on devices such as rk3306 mk/ss808, Raspberry Pi, ODROID U2/X2, Samsung Chromebook, EfikaMX, Beaglebone Black, CuBox, and Galaxy Note 10.1.
Kali always remains an open source project that is free. Most importantly, it is well supported by an active online community.
While pentesters can prefer any type of operating system to perform their desired activity, using Kali Linux saves significant time and removes the need to search for packages that aren't typically available for other operating systems. Some of the advantages of Kali that often go unnoticed during a red team exercise are the following:
One single source to attack various platforms
Quick to add sources and install packages and supporting libraries (especially those that are not available for Windows)
Possible to install even RPM packages with the help of alien
The purpose of Kali Linux is to secure things and bundle all of the tools to provide a single platform for penetration testers.
In the last edition, we focused on installing Kali Linux on VMware Player, VirtualBox, and Amazon AWS, and on using the Docker appliance. In this section, we will touch on installing on the same platforms, along with Raspberry Pi 3.
It is fairly simple to install Kali Linux onto a portable device. In some situations, clients do not permit the use of an external laptop inside a secure facility. In those cases, typically a testing laptop is provided by the client to the pentester to perform the scan. Running Kali Linux from a portable device has more advantages during a pentest or RTE:
It's in the pocket, in case of a USB or mobile device
It can be run live without making any changes to the host operating system
You can customize the build of Kali Linux and you can even make the storage persistent
There are three simple steps to make a USB drive into a portable Kali from a Windows PC:
Download the official Kali Linux image from: http://docs.kali.org/introduction/download-official-kali-linux-images.
Download Win32 Disk Imager from: https://sourceforge.net/projects/win32diskimager/. We will be using Win32 Disk Imager 1.0.
Open Win32 Disk Imager as administrator. Plug the USB drive into an available USB port on the PC. Browse to the location where you've downloaded your image. You should be able to see what's shown in the following screenshot. Select the right drive name and then click Write:
Once complete, exit Win32 Disk Imager and safely remove the USB drive. Kali Linux is now ready as a portable device that can be plugged into any laptop and booted live. It is also possible to generate a hash value of the image using Win32 Disk Imager. If your host operating system is Linux, the same result can be achieved with two standard commands:
sudo fdisk -l
This will list all of the disks attached to the system, so you can identify the device name of the USB drive:
sudo dd if=kali-linux.iso of=/dev/nameofthedrive bs=512k
That's it. The dd command-line utility does the convert and copy: if is the input file, of is the output file, and bs is the block size. Double-check the device name before running it, as dd overwrites the target disk without confirmation.
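As an added example (not from the book), here is a small POSIX shell wrapper around the dd step above that first checks the image's SHA256 against the value published on the download page and refuses to write to a device that is mounted or is not a block device; the function names and parameters are my own.

```shell
#!/bin/sh
# Added example, not the book's code: verify a downloaded Kali image against
# its published SHA256 sum before writing it to a USB drive with dd, and
# refuse to write to a device that is mounted or is not a block device.
# Assumed: image path, expected hash and target device are all parameters.

set -u

# verify_image_hash IMAGE EXPECTED_SHA256
# Returns 0 when the image's SHA256 matches EXPECTED_SHA256 (case-insensitive).
verify_image_hash() {
    image=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$image" ] || { echo "no such file: $image" >&2; return 1; }
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "hash mismatch for $image: got $actual, expected $expected" >&2
    return 1
}

# device_is_writable_target DEVICE
# Returns 0 only if DEVICE is a block device and nothing on it is mounted.
# Writing a raw image to a mounted disk (or to a file path by mistake) is the
# usual way to destroy the wrong drive.
device_is_writable_target() {
    dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if grep -q "^$dev" /proc/mounts 2>/dev/null; then
        echo "$dev (or a partition on it) is mounted; unmount it first" >&2
        return 1
    fi
    return 0
}

# write_image IMAGE EXPECTED_SHA256 DEVICE
# Runs the two checks above and only then performs the dd copy from the book.
write_image() {
    verify_image_hash "$1" "$2" || return 1
    device_is_writable_target "$3" || return 1
    dd if="$1" of="$3" bs=512k && sync
}

# Usage (as root):
#   write_image kali-linux.iso <sha256 from the download page> /dev/sdX
```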
Raspberry Pis are compact single-board devices that can run just like a fully loaded computer, with minimal functionality. These devices are extremely useful during RTE and penetration testing activities. The base operating system is loaded from an SD card, just as it is from a hard disk drive on normal computers and laptops.
The same steps as those outlined in the previous section, Using as a portable device, can be performed on a high-speed SD card that is then plugged into a Raspberry Pi, after which the system is ready to use. If the installation is successful, the following screen should appear when Kali Linux is booted from a Raspberry Pi. We've used a Raspberry Pi 3 for this demonstration and accessed the Pi operating system using VNC Viewer:
In this section, we will take a quick tour of how to install Kali onto VMware Workstation Player and Oracle VirtualBox.
VMware Workstation Player, formerly known as VMware Player, is free for personal use and a commercial product for business use from VMware as a desktop application that allows us to run a VM inside your host operating system. This application can be downloaded from: https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0.
We will be using version 12.5.9 VMware Workstation Player. Once the installer is downloaded, go ahead and install the VMware Player accordingly, based on your host operating system. If the installation is complete, you should have the following screen:
The next step to install Kali Linux in VMware is to click on Create a New Virtual Machine and select Installer disc image file (iso). Browse to the ISO file that you downloaded and then click Next. You can now enter a name of your choice (for example, HackBox) and select the custom location where you would like to store your VMware image. Click Next and then specify the disk capacity; a minimum of 10 GB is recommended to run Kali. Click Next until you finish.
Another way is to directly download the VMware image and open the .vmx file and select I copied it. That should boot up the fully loaded Kali Linux in VMware.
You can either choose to install the Kali-Linux to the host operating system or run it as a live image. Once all of the installation steps are complete, you are ready to launch Kali Linux from VMware without any problem, as shown in the following screenshot:
Similar to VMware workstation player, VirtualBox is the hypervisor that is completely open source and a free desktop application from which you can run any VM from the host operating system. This application can be downloaded from: https://www.virtualbox.org/wiki/Downloads.
We will now go ahead and install Kali to VirtualBox. Similar to VMware, we will just execute the downloaded executable until we have a successful installation of Oracle VirtualBox, as shown in the following screenshot:
During installation, it is recommended that the RAM be set to at least 1 or 2 GB, and that you create the virtual hard drive with a minimum of 10 GB to have no performance issues. After the final step, you should be able to load Kali Linux in VirtualBox, as shown in the following screenshot:
Docker is an open source project that is designed to automate the deployment of software containers and applications instantly. Docker also provides the additional abstraction and automation layer of operating system-level virtualization on Linux.
Docker is available for Windows, Mac, Linux, AWS (Amazon Web Services), and Azure. For Windows, Docker can be downloaded from: https://download.docker.com/.
After the Docker installation, it should be fairly simple to run Kali Linux by running the docker pull kalilinux/kali-linux-docker and docker run -t -i kalilinux/kali-linux-docker /bin/bash commands to confirm the installation.
We should be able to run Kali Linux directly from Docker as shown in the following screenshot. Also, note that Docker utilizes the VirtualBox environment in the background. So, technically, it is a VM running on VirtualBox through the Docker appliance:
Once the Docker download is complete, you can run the Docker image by running docker run -t -i kalilinux/kali-linux-docker /bin/bash. You should be able to see what's shown in the following screenshot:
Ensure that VT-X is enabled on your system BIOS and Hyper-V is enabled on Windows. Do note that enabling Hyper-V will disable VirtualBox, as shown in the following screenshot:
Amazon Web Services (AWS) provides Kali Linux as an Amazon Machine Image (AMI) and as Software as a Service (SaaS). A penetration tester or hacker can utilize AWS to conduct penetration testing and more efficient phishing attacks. In this section, we will go through the steps to bring up Kali Linux on AWS.
First, you'll need to have a valid AWS account. You can sign up by visiting the following URL: https://console.aws.amazon.com/console/home.
When we log in to the AWS account, we should be able to see all of the AWS services. Search for Kali Linux. You'll see the marketplace listing shown in the following screenshot, https://aws.amazon.com/marketplace/pp/B01M26MMTT:
The open source community has made it very simple to directly launch a pre-configured Kali Linux 2018.1 from the Amazon marketplace. The following URL will take us to a direct launch of Kali Linux within a few minutes: https://aws.amazon.com/marketplace/pp/B01M26MMTT. Follow the instructions and then you should be able to launch the instance by selecting Continue to Subscribe. This should take you to the options shown in the following screenshot. Finally, just click Launch:
Before you launch Kali Linux 2018.3 from AWS, it is recommended that you create a new key pair as shown in the following screenshot:
As usual, to use any AWS VM, you must create your own key pair in order to ensure the security of the environment. Then, you should be able to log in by entering the following commands from your command shell. In order to use the private key to log in without a password, Amazon requires the permissions on the private key file to be restricted to the owner. We will use the following commands to connect to the Kali Linux instance:
chmod 600 privatekey.pem
ssh -i privatekey.pem ec2-user@amazon-dns-ip
The following screenshot depicts the successful usage of Kali on AWS:
Installation is just the beginning of the setup, as organizing Kali Linux is very important. In this section, we will deep dive into different ways of organizing the HackBox through customization.
Kali is a framework that is used to complete a penetration test. However, the tester should never feel tied to the tools that have been installed by default or by the look and feel of the Kali desktop. By customizing Kali, a tester can increase the security of client data that is being collected and make it easier to do a penetration test.
Common customizations made to Kali include the following:
Resetting the root password
Adding a non-root user
Configuring network services and secure communications
Adjusting network proxy settings
Accessing the secure shell
Speeding up Kali operations
Sharing folders with MS Windows
Creating encrypted folders
To change the root password, use the following command:
passwd root
You'll then be prompted to enter a new password, as shown in the following screenshot:
Many of the applications provided in Kali must run with root-level privileges in order to function. Root-level privileges do possess a certain amount of risk; for example, mistyping a command or using the wrong command can cause applications to fail or even damage the system being tested. In some cases, it is preferable to test with user-level privileges. In fact, some applications force the use of lower-privilege accounts.
To create a non-root user, you can simply use the adduser command from the Terminal and follow the instructions that appear, as shown in the following screenshot:
The first step is to make sure that Kali has connectivity to either a wired or wireless network to support updates and communications.
You may need to obtain an IP address through DHCP (Dynamic Host Configuration Protocol) by appending the Ethernet adapter to the network configuration file:
# nano /etc/network/interfaces
iface eth0 inet dhcp
Once the network configuration file is appended, you should be able to run the ifup script (ifup eth0) to automatically obtain an IP address, as shown in the following screenshot:
In the case of a static IP, you can append the same network configuration file with the following lines to quickly set up a static IP on your Kali Linux, and point the resolver at a DNS server:
# nano /etc/network/interfaces
iface eth0 inet static
address <your address>
netmask <subnet mask>
broadcast <broadcast address>
gateway <default gateway>
# nano /etc/resolv.conf
nameserver <your DNS IP, for example Google DNS 8.8.8.8>
By default, Kali does not start with the DHCP service enabled. Doing so announces the new IP address to the network, and this may alert administrators about the presence of the tester. For some test cases, this may not be an issue, and it may be advantageous to have certain services start automatically during boot up. This can be achieved by entering the following commands:
update-rc.d networking defaults
/etc/init.d/networking restart
Kali installs with network services that can be started or stopped as required, including DHCP, HTTP, SSH, TFTP, and the VNC server. These services are usually invoked from the command line; however, some are accessible from the Kali menu.
Users located behind an authenticated or unauthenticated proxy connection must modify bash.bashrc and apt.conf. Both files are located in the /etc/ directory.
Edit the bash.bashrc file, as shown in the following screenshot, using a text editor to add the following lines to the bottom of the bash.bashrc file:
export ftp_proxy="ftp://username:password@proxyIP:port"
export http_proxy="http://username:password@proxyIP:port"
export https_proxy="https://username:password@proxyIP:port"
export socks_proxy="https://username:password@proxyIP:port"
Replace proxyIP and port with your proxy IP address and port number respectively, and replace username and password with your authentication username and password. If there's no need to authenticate, write only the part following the @ symbol. Save and close the file. Note that these credentials are stored in plain text in a file readable by every user on the system.
To minimize detection by a target network during testing, Kali does not enable any externally listening network services. Some services, such as Secure Shell (SSH), are already installed. However, they must be enabled prior to use.
Kali comes preconfigured with default SSH keys. Before starting the SSH service, it's a good idea to disable the default keys and generate a unique keyset for use.
Move the default SSH keys to a backup folder, and then generate a new SSH keyset using the following command:
dpkg-reconfigure openssh-server
To confirm the SSH service is running, you can verify using the following command (service ssh status) as shown in the following screenshot:
Note that, with the default configuration of SSH, root login will be disabled. If you require access with the root account, you may have to edit /etc/ssh/sshd_config and set PermitRootLogin to yes, save, and then exit. Finally, from any system on the same network, you should be able to access the SSH service and utilize Kali Linux. In this example, we use PuTTY, which is a free and portable SSH client for Windows. You should now be able to access Kali Linux from another machine, accept the SSH host key, and enter your credentials, as shown in the following screenshot:
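The key rotation and PermitRootLogin steps described above, as an added shell example that is not part of the book: it moves the default host keys aside before dpkg-reconfigure regenerates them, and reports the effective PermitRootLogin value from an sshd_config file. The function names are my own, and the key directory and config path are parameters (an assumption) so the checks can be run against a copy rather than the live /etc/ssh.

```shell
#!/bin/sh
# Added example, not the book's code: back up the SSH host keys that ship in
# a Kali image, regenerate a unique set, and audit sshd_config for
# PermitRootLogin. Paths are parameters so the functions can be exercised on
# a copy; the real ones are /etc/ssh and /etc/ssh/sshd_config.

set -u

# backup_host_keys KEYDIR BACKUPDIR
# Moves every ssh_host_* file out of KEYDIR so sshd can no longer offer the
# image-wide default identity. Prints the number of files moved.
backup_host_keys() {
    keydir=$1
    backup=$2
    mkdir -p "$backup" && chmod 700 "$backup"
    moved=0
    for f in "$keydir"/ssh_host_*; do
        [ -e "$f" ] || continue      # glob matched nothing
        mv "$f" "$backup"/ && moved=$((moved + 1))
    done
    echo "$moved"
}

# regenerate_host_keys
# The book's one-liner: dpkg-reconfigure creates fresh keys when none exist.
regenerate_host_keys() {
    dpkg-reconfigure openssh-server
}

# permit_root_login CONFIG
# Prints the effective PermitRootLogin value outside Match blocks: sshd uses
# the first uncommented directive, and OpenSSH's built-in default is
# prohibit-password (public-key root login only).
permit_root_login() {
    value=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" 2>/dev/null \
            | head -n 1 | awk '{print tolower($2)}')
    echo "${value:-prohibit-password}"
}

# Usage (as root):
#   backup_host_keys /etc/ssh /root/ssh-default-keys && regenerate_host_keys
#   permit_root_login /etc/ssh/sshd_config   # expect "no" or "prohibit-password"
```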
Several tools can be used to optimize and speed up Kali operations:
When using a VM, install the VM's driver package: Guest Additions (VirtualBox) or VMware Tools (VMware).
When creating a VM, select a fixed disk size instead of one that is dynamically allocated. It is faster to add files to a fixed disk, and there is less file fragmentation.
By default, Kali does not show all of the applications that are present in the start-up menu. Each application that is started during the boot process slows the system and may impact memory use and performance. Install Boot Up Manager (BUM) to disable unnecessary services and applications that are enabled during boot up (apt-get install bum), as shown in the following screenshot:
